REMARKS/ARGUMENTS

Applicant thanks Examiner Abrishamkar for his helpful and courteous comments
during the 29 November 2005 teleconference. Based on that teleconference, applicant
offers this Supplemental Amendment without prejudice or disclaimer, to advance
prosecution and simplify issues presented for further examination.

During the 11/29/05 interview, applicant Tim Simms explained that, with
increasing use of mobile and portable platforms, there is a need for relatively
invulnerable privacy and/or authentication techniques that don't necessarily require keys
to be resident on the computing devices. Tim Simms explained that his patent
application discloses an exemplary non-limiting "secure channel protocol"
implementation that can provide strong encryption and authentication based on a
password or other authenticator a user has and shares with a server.

Tim Simms explained his disclosed non-limiting exemplary implementation to the
Examiner, and contrasted his approach with the approach described in the Bellovin
reference which the USPTO has relied on to reject the claims.[1] Tim further discussed
aspects of the technology in connection with the textbook by Bruce Schneier, Applied
Cryptography: Protocols, Algorithms and Source Code in C (2d Ed. John Wiley & Sons
1996). The Examiner confirmed that he has access to a complete copy of this
well-known textbook.

[1] The Examiner rejected claims 1, 4-11, 13-16, 18, 20, 21, 24-36, 39, 40, 43-45, 47-51, 57-89, 112-121,
124-131, 133-137, and 144-147 under 35 U.S.C. 102(b) as allegedly anticipated by U.S. Patent No. 5,421,599
to Bellovin, et al. ("Bellovin"). Office Action mailed 7 March 2005 at 3. The Examiner rejected claims 2, 3,
12, 22, 23, 37, 38, 52, 90-111, 122, 123, 152 under 35 U.S.C. § 103(a) as allegedly unpatentable over Bellovin in view
of U.S. Patent No. 6,018,581 to Shona, et al. ("Shona"). Id. at 15. Claims 17, 41, 42, 46, 138-141 were also rejected
under 35 U.S.C. § 103(a) as allegedly unpatentable over Bellovin in view of U.S. Patent No. 6,539,749 to Wu
("Wu"). Id. at 22. Claims 142 and 143 were rejected under 35 U.S.C. § 103(a) as allegedly unpatentable over
Bellovin and Wu in view of U.S. Patent No. 5,434,918 to Kung, et al. ("Kung"). Id. at 5. Claims 54-56, 132, 148-151,
and 153 were rejected under 35 U.S.C. 103(a) as allegedly unpatentable over Bellovin in view of U.S. Patent
No. 5,365,589 to Gutowitz ("Gutowitz"). Id. at 26. Finally, Claim 19 was rejected under 35 U.S.C. § 103(a) as
allegedly unpatentable over Bellovin in view of U.S. Patent No. 6,115,817 to Whitmire ("Whitmire"). Id. at 28.

Examiner Abrishamkar said that he saw definite differences between Bellovin's
protocol and applicant's techniques, but requested applicant to further revise his
independent claims to more positively point out the differences. Applicant agreed to
consider the request and submit additional claim revisions.

Amendments to the Claims 

To simplify prosecution, applicant is cancelling (or has cancelled) many claims
without prejudice or disclaimer, e.g., to further prosecution in a continuation,
continuation-in-part, divisional, or other related application. Independent claims 1, 24 and
112, and dependent claims 2-3, 5-9, 26-31, 36, 38-56, 113-120, 122-123, 127-143 & 149-151
remain pending.

To more particularly point out the claimed subject matter, applicant has amended
independent claim 1 to recite, in combination:

"transmitting a first message from said second
communicating party to said first communicating party, said
first message including said first shared random number, and
said first message being encoded with a symmetric encryption
key; transmitting a second message from said first
communicating party to said second communicating party,
said second message including said second shared random
number, and said second message being encoded with an
asymmetric encryption key . . . ."

Bellovin does not teach or suggest the claimed combinations. Bellovin discusses
both symmetric key cryptosystems and asymmetric key cryptosystems (see e.g., col. 2,
lines 40-68 and following). Bellovin uses symmetric key encryption "to encrypt the
initial asymmetric key exchange; to trade challenges and responses, and to protect the
ensuing application session." See col. 12, lines 63-68. However, Bellovin does not teach
or suggest the combinations claimed wherein, for example, a "first message [includes the]
. . . first shared random number . . . [and is] encoded with a symmetric encryption key . . .
[and] a second message . . . [includes the] second shared random number . . . [and is]
encoded with an asymmetric encryption key . . . ."

Applicant in his disclosed exemplary illustrative non-limiting implementation uses
a symmetric key to encrypt the transmission of the first asymmetric key as well as the
first random number precursor to the symmetric session key. In contrast, Bellovin's
algorithms require multiple uses of the same symmetric and asymmetric keys, and the use
of more key pairs and more data exchanges. Applicant's exemplary illustrative
non-limiting algorithmic implementation detailed in applicant's specification provides for the
use of only one symmetric and one asymmetric key exchange, in a particular order, and
generated by specific parties in the exchange, optimized to provide a more secure, more
efficient, faster algorithm for real-world use.

[2] Amended independent claim 24 recites in combination:

"receiving a first message including a first shared random number from said second communicating party,
said first message being encoded with a symmetric encryption key; . . . transmitting a second message to said first
communicating party, said second message including a second shared random number, and said second message
being encoded with an asymmetric encryption key . . . ."

Amended independent claim 112 recites in combination:

"identifying a first shared random number associated with a first message from said second communicating
party, said first message including said first shared random number, and said first message being encoded with a
symmetric encryption key; receiving a message including a second shared random number from said first
communicating party, said second message being encoded with an asymmetric encryption key . . . ."

Conclusion 

In view of the foregoing, it is respectfully submitted that the above-identified
patent application is in condition for allowance. A Notice of Allowance is therefore
respectfully requested. The Examiner is encouraged to contact the undersigned at the
telephone number provided below to resolve any remaining questions or issues.

Respectfully submitted,

Robert W. Faris
Reg. No. 31,352

RWF:ejs
901 North Glebe Road, 11th Floor
Arlington, VA 22203-1808
Telephone: (703) 816-4000
Facsimile: (703) 816-4100

SYSTEM AND METHOD FOR ESTABLISHING SECURE
COMMUNICATION

BACKGROUND OF THE INVENTION

FIELD OF THE INVENTION

[0001] The technology herein relates to encoding systems
and protocols, and more specifically to systems and protocols for establishing a
shared secret key for two-way secure communications.

BACKGROUND AND SUMMARY

[0002] When two parties wish to communicate securely, an efficient
mechanism for doing so is the use of a shared secret session key, i.e., a key known
only to the two parties that can be used symmetrically to both encrypt and decrypt
messages between them for the duration of a communication session. Various
methods exist to achieve this, and each has advantages and disadvantages.

[0003] Parties can use a trusted key authority that distributes the shared
secret key to each of them separately using their unique key encryption key.
However, this technique requires the storage of keys, i.e., it is not portable with a
user, and if a key encryption key is compromised the system loses its integrity and
past communications can be decrypted.

[0004] The "Diffie-Hellman" technique, described in U.S. Pat. No.
4,200,770, permits generation of a shared secret key without the use of encryption.
Each party generates a large random number. By way of example, party A
generates the number X and party B generates the number Y. Each party sends its
number through a particular kind of one-way function and transmits the output.
Only knowledge of one number (X or Y), and the value of the other number sent
through the one-way function is sufficient to generate the shared secret key. A
drawback of the Diffie-Hellman technique is that each side uses a non-shared
random number (X or Y) in independently generating the shared secret key. A
result of the use of non-shared random numbers is that each side performs large
exponential and modulo calculations when performing one-way functions and
generating the shared secret key, resulting in a high computational load on both
sides. These calculations are required in order to make it computationally
infeasible for an eavesdropper to combine the two shared numbers in order to
obtain the shared secret key.

[0005] Variations on the Diffie-Hellman technique exist that attempt to
make it more secure. These variations suffer from the same computational burden
as the standard Diffie-Hellman technique. For example, U.S. Pat. No. 5,953,424
describes a system with a modification of the key generation technique. In
addition to the usual Diffie-Hellman computations on the original numbers (X and
Y) and the transmitted numbers (which result from calculations), the '424 patent
describes extra factors that may be combined with the standard Diffie-Hellman
factors. These factors are not transmitted, so they must be knowable in advance by
the communicating parties.

[0006] Another variation of the Diffie-Hellman technique is disclosed in
U.S. Pat. No. 5,440,635. In this variant, the transmitted numbers are further
encrypted using a symmetric key cryptosystem before being transmitted. This
doesn't ameliorate any of the disadvantages of Diffie-Hellman, noted above.

[0007] A message exchange technique employing a combination of public
and private key cryptography to communicate a secret key from one party to
another is described in U.S. Pat. No. 5,241,599. The '599 patent requires that each
party share knowledge of a secret. A calling party generates a random public
key/private key pair, and communicates the public key to the called party using
their shared secret. The called party then communicates the secret key to the
calling party using both the public key and the shared secret. The technique of the
'599 patent suffers from several limitations. The calling party must generate a
random public key/private key pair, which is a costly computation that is often
preferably performed by the called party. Also, the secret key may be
compromised in advance by manipulating the called party to affect the secret key
it uses or computes. No manipulation or compromise of the calling party is
required.

[0008] What is needed is a system and method for establishing secure
communication.

SUMMARY OF THE INVENTION

[0009] The exemplary illustrative non-limiting technology herein provides
an encoding protocol for communicating parties to each obtain a shared secret key.

[0010] One advantage of the exemplary illustrative non-limiting technology
herein is that it is less computationally intensive than previous
cryptographic systems to obtain a shared secret key.

[0011] Another advantage of the exemplary illustrative non-limiting
technology herein is that the calling party is not required to perform
any large computations.

[0012] Yet another advantage of the exemplary illustrative non-limiting
technology herein is that it is highly resistant to attacks,
including eavesdropping, impersonating a party, replay attacks, tampering with or
probing a party before or after a communications session, and password database
hijacking.

[0013] Still another advantage of the exemplary illustrative non-limiting
technology herein is that it can be used either with or
without certificates or physical tokens such as smart cards or biometric devices.

[0014] In an exemplary illustrative non-limiting method for obtaining a
shared secret key, a party identifies a first
shared random number and a second shared random number, and obtains the
shared secret key from an output of a combining function having a first input
including the first shared random number and having a second input including the
second shared random number.

[0015] In a further aspect of the exemplary illustrative non-limiting
implementation, the shared secret key is used to transform
messages.

[0016] In another exemplary illustrative non-limiting implementation,
a party encodes a first shared random number, decodes a
second shared random number, and obtains the shared secret key from an output of
a combining function having a first input including the first shared random number
and having a second input including the second shared random number.

[0017] In a further exemplary illustrative non-limiting
implementation, a party encodes a first shared
random number and a second key using a first key obtained using information
obtained from a password; decodes a second shared random number using a third
key; and obtains the shared secret key from an output of a combining function
having a first input including the first shared random number and having a second
input including the second shared random number.

[0018] In a still further exemplary illustrative non-limiting
implementation, the second key and the third key form an
asymmetric key pair.

[0019] In another exemplary illustrative non-limiting
implementation, a party decodes a first shared random number, encodes a
second shared random number, and obtains the shared secret key from an output of
a combining function having a first input including the first shared random number
and having a second input including the second shared random number.

[0020] In a further exemplary illustrative non-limiting
implementation, a party decodes a first shared random number and a
second key using a first key obtained from information obtained from a password,
encodes a second shared random number using the second key, and obtains the
shared secret key from an output of a combining function having a first input
including the first shared random number and having a second input including the
second shared random number.

[0021] In another exemplary illustrative non-limiting
implementation, a party communicates a first shared random number and
a second shared random number, and obtains the shared secret key from an output
of a combining function having a first input including the first shared random
number and having a second input including the second shared random number.

[0022] In a further exemplary illustrative non-limiting
implementation, the party communicates an asymmetric key and a
timestamp with the first shared random number, and a timestamp with the second
shared random number.

[0023] In still another exemplary illustrative non-limiting
implementation, a device including at least one processor executes
software instructions identifying a first shared random number and a second
shared random number, and obtains the shared secret key from an output of a
combining function having a first input including said first shared random number
and having a second input including said second shared random number.

[0024] In yet another exemplary illustrative non-limiting
implementation, a machine-readable storage medium contains
instructions for a processor, including encoded computer means for identifying a
first random number, encoded computer means for identifying a second random
number, and encoded computer means for obtaining the shared secret key from an
output of a combining function having a first input including said first shared
random number and having a second input including said second shared random
number.

BRIEF DESCRIPTION OF THE DRAWINGS

[0025] These and other features and advantages will be better and more
completely understood by referring to the following detailed description of
exemplary non-limiting illustrative implementations in conjunction with the
drawings of which:

[0026] FIG. 1a illustrates an exemplary illustrative non-limiting
peer-to-peer embodiment, including various
exemplary non-limiting implementations of each peer.

[0027] FIG. 1b illustrates an exemplary illustrative non-limiting
client-server embodiment, including various embodiments of a
client.

[0028] FIG. 2 illustrates a sequence of exemplary illustrative non-limiting
operations performed by a peer, a client, or a server.

[0029] FIG. 3 illustrates an exemplary illustrative non-limiting sequence of
operations performed by a calling party in a peer-to-peer embodiment, or a client
in a client-server embodiment.

[0030] FIG. 4 illustrates a sequence of exemplary illustrative non-limiting
operations performed by a called party in a peer-to-peer embodiment, or a server
in a client-server embodiment.

[0031] FIG. 5 illustrates a packet that may be used in an exemplary
illustrative non-limiting signal embodiment.

[0032] FIG. 6 illustrates a sequence of actions and communications among
a user, a calling party, and a called party in one exemplary illustrative non-limiting
embodiment.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0033] The exemplary illustrative non-limiting
technology herein provides a system and method for two parties to determine a
shared secret key. Each party identifies a first shared random number and a second
shared random number. Then, a combining function is used to obtain a shared
secret key using the first shared random number and the second shared random
number. Hence, knowledge of the combining function coupled with knowledge of
the first shared random number and the second shared random number is sufficient
to obtain the shared secret key. It is preferred, therefore, for the shared random
numbers to be communicated between the parties without permitting would-be
attackers to learn both shared random numbers. In some exemplary illustrative
non-limiting embodiments, this is accomplished by using a password. Specifically,
each party has access to either information obtained from a password, or of the
password itself. In an exemplary illustrative non-limiting embodiment,
the password is associated with a user.

[0034] A shared secret key may be used along with a symmetric encryption
system such as IDEA (International Data Encryption Algorithm) in order to
efficiently and securely perform communications between two parties. It is
desirable that the shared secret key be secure and that the two parties authenticate
each other, while minimizing the computational load necessary to obtain the
shared secret key.

[0035] The system and method of the exemplary
illustrative non-limiting technology herein can be implemented in a local area
network, wide area network, public access network (e.g., Internet), in a network of
networks such as a hybrid network, or in other communication environments as
would be apparent. In a network implementation that conforms to the OSI model,
the shared secret key may be viewed as a session key. In an OSI-compliant
exemplary illustrative non-limiting embodiment, the protocol
for obtaining a shared secret key resides at layers 5 and/or 6 of the OSI
model, and supports secret key based encoded transport of any developer-defined
or selected client-server or peer-to-peer protocol. In addition, a user authentication
graphical user interface (GUI) for any developer-defined applications may be
provided above the exemplary illustrative non-limiting protocol,
as would be apparent. In addition, the exemplary illustrative
non-limiting protocol may be encapsulated within another
protocol such as a firewall, a virtual private network, or both, or any other protocol
as would be apparent. With encapsulation, an application benefiting from the
authentication and encoded transport of the exemplary illustrative non-limiting
implementation does not need to be aware of the details or even
the existence of the underlying protocol.

[0036] In generating a shared secret key according to some exemplary
illustrative non-limiting embodiments, the system and method
provides a secure and robust user authentication protocol, based on
asymmetric key encoding. In an exemplary illustrative non-limiting
embodiment, a first party communicates a public key to a second party using
information obtained from a password associated with a user of the second party.
The first and second parties exchange shared secret keys which no outside
observer can obtain without information about the password and information about
a private key associated with the public key, which is not communicated.

[0037] FIG. 1a and FIG. 1b depict exemplary illustrative non-limiting
embodiments of the environment. FIG. 1a shows an
exemplary peer-to-peer embodiment. Users 101a through 101e and 105a through
105e are graphically depicted as human users for ease of representation, although
they may be automated entities such as applications, daemons, or other
electronically-driven users. A user need not be associated with a particular human
if it is a non-human user such as a software-driven user, although it can be. Calling
users 101 communicate with (i.e., are connected to) exemplary calling platforms
102a through 102d, and called users 105 communicate with exemplary called
platforms 104a through 104d.

[0038] The term 'party' may refer to a user, a platform, or both a user and a
platform with which the user is associated. In one exemplary illustrative
non-limiting embodiment a calling party is a party that initiates a communications
session; and a called party is a party that responds to a calling party's initiation of a
communications session. Network 103 represents any network or network of
networks, such as the Internet, and may include firewalls, virtual private networks,
and any kinds of connections (e.g., wireless, Ethernet, etc.), routers, gateways,
protocols, and other components as would be apparent. Exemplary platforms 102a
and 104a represent laptop computers, which may be connected to network 103 via
wire-line or wireless connections, as would be apparent. Exemplary platforms
102b and 104b represent workstations or personal computers. Exemplary
platforms 102c and 104c represent handheld devices. Exemplary platforms 102d
and 104d represent servers, which may be better equipped than the other
exemplary platforms to handle simultaneous connections to multiple users
including remote users, as illustrated. Other platforms may be used, such as a
dumb terminal, as would be apparent. For the purposes of this specification, a
platform may comprise one or more pieces of hardware, a process running on the
hardware, a process in memory or storage, or a combination thereof. For example,
platform 104d may represent the physical server, i.e., the hardware comprising the
server. Alternatively, platform 104d may represent a server process running on the
server or in memory on the server. As an additional alternative, platform 104d
may represent a combination of these things. A non-human user may be running at
least partially on a platform with which it is associated, or it may be running
completely remotely. The meaning of platform varies throughout the specification,
and is in each case subject to any of the interpretations just enumerated.

[0039] FIG. 1a depicts a peer-to-peer configuration, in which a party
(possibly including one of exemplary users 101a through 101e and/or one of
corresponding exemplary platforms 102a through 102d) may be either a calling
party or a called party. Similarly, any of exemplary users 105a through 105e
and/or a corresponding exemplary platform 104a through 104d, could be either a
calling or a called party. FIG. 1b represents a client-server configuration in which
a client (possibly including one of exemplary users 101a through 101e and/or one
of corresponding exemplary platforms 102a through 102d) is the calling party and
a party on the server side, including user 105d and/or server platform 104d is the
called party 105d. The exemplary illustrative non-limiting
technology herein may be used to connect parties, including a calling party and a
called party to provide for authentication and/or secure communication between
the calling party and the called party, through network 103.

[0040] A random number has the property that it is difficult for a would-be
attacker to determine the random number without obtaining information
characterizing the random number. A random number that is either communicated
or intended to be communicated between a calling party and a called party is
referred to as a shared random number. In order to communicate a shared random
number, a party may send or receive the shared random number or information
from which the shared random number may be obtained without additional
information specific to the shared random number and without an astronomical
number of computations. A shared random number may be sent or received by
transmitting or receiving over a communications channel or a network information
from which the shared random number may be easily inferred, such as the shared
random number itself.

[0041] The exemplary illustrative non-limiting technology
herein employs at least two shared random numbers to obtain a shared secret key.
The shared random numbers are passed through a combining function to obtain
information used to determine the shared secret key. A combining function may be
any function, including a compound function, i.e., a function of functions, that has
a first input including a first number and a second input including a second
number. Additionally, a combining function has the property that knowledge of a
single input to the combining function does not substantially reduce the difficulty
of determining an output of the combining function. It is preferred that a
combining function be used such that knowledge of a single input to the
combining function does not reduce the difficulty of determining an output of the
combining function at all.

[0042] A benefit of passing shared random numbers through a combining
function to obtain a shared secret key is that a would-be attacker will be unable to
compromise the shared secret key by obtaining only one random number, either
through observation or manipulation of a party or its communications, even with
knowledge of the protocols used and the combining function itself. A combining
function may involve one or more of a number of operations on its inputs and any
parameters that might be inherent to the combining function. For example,
addition, subtraction, multiplication, division, exponentiation, logarithms,
trigonometric functions, and/or modulo operations could be used. A combining
function could include a logical function, such as OR, AND, NOR, NAND, XOR,
and/or XNOR, blending or merging (scaling, and then addition), bit shifting,
concatenation, truncation, or any combinations thereof. Additional operations,
conditional operations, and various combinations of operations, in serial and/or
parallel may be used, as would be apparent. In an exemplary illustrative
non-limiting embodiment, an XOR operation is used, which would permit the
use of a combining function as simple as specifying an output of a combining
function to be equal to an XOR of two inputs.
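
The single-input property stated in [0041] and [0042] can be checked by brute force on small inputs. The following is an added example, not code from the application: for several of the operations the text lists, it measures how much uncertainty about K = f(R1, R2) remains for someone who has learned one input. The 8-bit toy width and all names are assumptions made for illustration.

```python
"""Added illustration: how much of K = f(R1, R2) stays hidden when one input leaks.

Assumptions (not from the application): an 8-bit toy width so that every
value can be enumerated, and every name defined below.
"""
from collections import Counter
from math import log2
import secrets

N_BITS = 8
SPACE = 1 << N_BITS
MASK = SPACE - 1

# Candidate combining functions built from operations the text lists.
COMBINERS = {
    "xor": lambda r1, r2: r1 ^ r2,
    "add_mod": lambda r1, r2: (r1 + r2) & MASK,  # addition plus a modulo operation
    "and": lambda r1, r2: r1 & r2,
    "or": lambda r1, r2: r1 | r2,
}


def residual_entropy_bits(f, known, known_is_first=True):
    """Shannon entropy (bits) of K for an observer who holds one input.

    The other input is treated as uniformly random over N_BITS. A result of
    N_BITS means the leaked input told the observer nothing about K.
    """
    counts = Counter(
        f(known, other) if known_is_first else f(other, known)
        for other in range(SPACE)
    )
    return sum(-(c / SPACE) * log2(c / SPACE) for c in counts.values())


def worst_case_table():
    """Minimum residual entropy per combiner over every leaked value and position."""
    return {
        name: min(
            residual_entropy_bits(f, known, first)
            for known in range(SPACE)
            for first in (True, False)
        )
        for name, f in COMBINERS.items()
    }


def derive_session_key(r1: bytes, r2: bytes) -> bytes:
    """K = R1 XOR R2 over equal-length byte strings."""
    if len(r1) != len(r2):
        raise ValueError("R1 and R2 must have the same length")
    return bytes(a ^ b for a, b in zip(r1, r2))


if __name__ == "__main__":
    leaked = 0b10110000  # constructed sample value for the leaked input
    for name, f in COMBINERS.items():
        print(f"{name:8s} leaked R1={leaked:08b}: "
              f"{residual_entropy_bits(f, leaked):.1f} of {N_BITS} bits remain")
    print("worst case:", worst_case_table())

    # Full-width use: two 128-bit shared random numbers combined into K.
    r1, r2 = secrets.token_bytes(16), secrets.token_bytes(16)
    print("K =", derive_session_key(r1, r2).hex())
```

XOR and modular addition keep all 8 bits hidden for every leaked value, while AND and OR fall to zero bits when the leaked input is all zeros or all ones respectively, so those operations meet the stated property only as parts of a larger compound function.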

[0043] FIG. 2 illustrates a set of steps performed by a party in an
exemplary illustrative non-limiting embodiment. In step
201, the party shares a first random number R1. The random number could be
shared by being communicated to or from another party, possibly through
intermediaries. In step 202, the party shares a second random number R2. In step
203, the party obtains an output K of a combining function f( ) with a first input
including R1 and a second input including R2. In FIGS. 2-4, for ease of
presentation, an exemplary illustrative non-limiting embodiment of the combining
function is shown with two inputs consisting of R1 and R2, respectively, yielding
K=f(R1,R2).

[0044] FIG. 3 illustrates a set of steps performed by a calling party in an
exemplary illustrative non-limiting embodiment. In an
exemplary illustrative non-limiting client-server embodiment, FIG. 3 illustrates a
set of steps performed by a client. For ease of description, the party executing the
steps in FIG. 3 will be referred to as a 'calling party,' which encompasses the term
'client.' In step 301, the calling party receives a first shared random number R1. In
step 302, the calling party sends a second shared random number R2. In step 203,
the calling party obtains an output K of a combining function f( ) with a first input
including R1 and a second input including R2.

[0045] FIG. 4 illustrates a set of steps performed by a called party in an
exemplary non-limiting embodiment. In an exemplary
client-server embodiment, FIG. 4 illustrates a set of steps performed by a server.
For ease of description, the party executing the steps in FIG. 4 will be referred to
as a 'called party,' which encompasses the term 'server.' In step 401, the called
party sends a first shared random number R1. In step 402, the called party sends a
second shared random number R2. In step 203, the called party obtains an output
K of a combining function f( ) with a first input including R1 and a second input
including R2.

[0046] When a party communicates information, it may do so over network 103. In
order to send information, the information may be encoded to comply with a
communications protocol. It may further be encoded with keys, passwords, or
information derived therefrom. Encoding with keys or passwords or information
derived therefrom may comprise encryption, or other forms of transforming data
as would be apparent. If information is sent through network 103, it may be
encoded in packets, such as IP packets. An exemplary IP packet is illustrated in
FIG. 5. The IP packet of FIG. 5 includes an IP header 501 including a source
address 502 and a destination address 503, and embedded data 504 including part
of the information sent through the network. When a party receives information
through network 103, it may decode information according to a network protocol,
such as the Internet Protocol. Information may be decoded with keys or passwords
or information derived therefrom. Decoding with keys or passwords or information
derived therefrom may comprise decryption. Decoding of information may also
comprise parsing, in which information is extracted from data passed through a
network, such as a packet or packets.

[0047] Information communicated over network 103 is propagated through network
103 between communicating parties. Networks may comprise many kinds of links,
including wireless links. Signals sent over the network may be embedded in a
carrier wave, and may be propagated, e.g., as an analog or a digital signal.

[0048] If keys or passwords, including information derived from them, are used
to encode or decode information, then a key or password may itself be encoded.
In one exemplary illustrative non-limiting embodiment a password is encoded to
obtain a 128-bit key. One method of performing this encoding is as follows. In a
first step, lcase( ) is used to transform all alphabetic characters to
lower-case. In a second step, characters are transformed based on a stored
table. In a third step, all bits in the transformed representation of each
character are concatenated. In a fourth step, the resulting bit stream is
repeated until the total bit length is 128. In a fifth step, IDEA is used to
encrypt the original password using the 128-bit stream as the secret key. In a
sixth step, the cyphertext is padded to create a 128-bit key, which may be used
to encode and/or decode information.

[0049] The above method for encoding a password is an example of using a one-way
function. A one-way function has the property that it is computationally
infeasible to determine an input to the function by using an output of the
function. The six-step method for encoding the password is equivalent to passing
the password through a function. In this case, it is a one-way function because
the encrypting step makes it computationally infeasible to recover the input by
using the output. Another example of a one-way function is a hash.

[0050] FIG. 6 illustrates an exemplary illustrative non-limiting embodiment. The
four columns of the figure represent users and platforms. Specifically, column
101 represents a calling party, column 102 represents a calling platform, column
104 represents a called platform, and column 105 represents a called user.
Calling user 101 is connected to calling platform 102, and called user 105 is
connected to called platform 104. Arrows represent messages sent between the
four entities (columns) in FIG. 6, and numbers without arrows represent
operations that may be performed by either or both of the adjacent columns. For
example, step 601 represents a message sent from calling user 101 to calling
platform 102, and step 604 represents a step that may be performed by called
platform 104, called user 105, or both.

[0051] In step 601, calling user 101 sends user identification information (User
ID) and a password to calling platform 102. The password does not need to be
placed in storage on calling platform 102, and could be held in memory on
platform 102 just long enough for it to fulfill its use. If calling user 101 is
a human user, the action of sending the User ID and password to platform 102
could be triggered by the action of the human user typing in the User ID and
password on a keyboard or other alphanumeric input device. In step 602, calling
platform 102 sends information to called platform 104 including information
obtained from the User ID and information concerning a protocol and version that
calling platform 102 is capable of using.

[0052] Step 603 is carried out by the calling party, which may comprise calling
user 101, calling platform 102, or both. In step 603, a first key, denoted
Kuser, is generated using information obtained from the password. In some
exemplary illustrative non-limiting embodiments, the first key is generated as
an output of a one-way function having an input including the password. In other
embodiments, other methods of encoding the password may be used to obtain Kuser.
Other methods may be used to obtain Kuser, as would be apparent.

[0053] Steps 604 through 606 are carried out by the called party, which may
comprise called platform 104, called user 105, or both. In step 604, the called
party identifies a first shared random number R1. This and other identification
steps could comprise, for example, generating R1, looking up R1 in a table,
obtaining R1 from an external source, and/or other methods as would be apparent.
In step 605, the called party identifies an asymmetric key pair comprising two
corresponding asymmetric keys, e.g., a public key and a private key. For ease of
representation, the two asymmetric keys are denoted Kpublic and Kprivate.

[0054] In step 606, a first key, Kuser, is obtained by using information
obtained from the User ID. In some client-server embodiments, the first key is
obtained by performing a table lookup using information obtained from the User
ID. For example, one embodiment that uses a first key comprising an encoded
password requires the called party to have access to a table of passwords, which
are indexed by User ID. In this way, step 606 may be performed by looking up the
password in the password table using the User ID or information obtained
therefrom, and sending the password through a one-way function to obtain the
first key. Alternatively, the password table may contain encrypted or encoded
passwords, and a simple table lookup may be used to obtain the first key without
an extra encoding step. In another embodiment, the password table is itself
encoded. The table could be encoded as a whole, or it could be broken into
sub-tables or fields, with each sub-table or field encoded separately. If the
password table is encoded, the called party may decode the table or a relevant
part of it as part of step 606.

[0055] Step 606 may be performed in other ways. For example, in some embodiments
including a peer-to-peer embodiment, information obtained from the User ID is
used to obtain from a trusted third party either the first key or information
used to generate the first key.

[0056] In step 607, the called party sends the calling party a first message
encoded with the first key, Kuser. The first message includes the first shared
random number, R1, and one of the two asymmetric keys identified in step 605,
which we arbitrarily denote Kpublic. The message also includes a timestamp in
some embodiments, although in a preferred embodiment timestamps are not used
because of timing synchronization issues. The first message may be denoted
Kuser(R1, Kpublic, timestamp).

[0057] Steps 608 and 609 are performed by the calling party, comprising the
calling user 101 and/or the calling platform 102. In step 608, the first message
is decoded. In order to decode the first message, the calling party uses Kuser.
Then, R1 and Kpublic are obtained from the first message. One method to obtain
R1 and Kpublic from the first message is to parse the message, including any
header information that may exist. If the first message includes a timestamp,
then it may be obtained from the first message and compared to the actual time.
In step 609, a second shared random number R2 is identified.

[0058] In step 610, the calling party sends the called party a second message
encoded with the asymmetric key Kpublic. The second message contains the second
shared random number R2. The second message also includes a timestamp in some
embodiments, although in a preferred embodiment timestamps are not used because
of time synchronization issues. The second message may be denoted
Kpublic(R2, timestamp).

[0059] Step 611 is carried out by the called party. In step 611, the second
message is decoded using the other asymmetric key, Kprivate, to obtain R2. One
method to obtain R2 from the second message is to parse the message, including
any header information that may exist. If the second message includes a
timestamp, then it may be obtained from the second message and compared to the
actual time.

[0060] Step 612 is carried out both by the calling party and by the called
party. In step 612, the shared secret key, Kss, is obtained from an output of a
combining function having a first input including the first shared random number
and a second input including the second shared random number. In one
embodiment, the shared secret key is the output of a combining function having
two inputs consisting of the two shared random numbers. This is denoted by
Kss=f(R1,R2).

[0061] In step 613, the two parties communicate using Kss. Kss may be used,
e.g., in any symmetric encryption system to transform messages. A sender of a
message transforms the message by encoding it using Kss, and a receiver of a
message transforms the message by decoding it using Kss.
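
The exchange of steps 601 through 613, run end to end with both parties' messages, as an added Python example that is not code from the application. SHA-256 as the one-way function and as the combining function f, the XOR keystream cipher, the fixed-prime toy RSA pair, the message layout and every function name are assumptions made for illustration; timestamps are omitted, as in the preferred embodiment.

```python
import hashlib
import secrets

# Constructed toy RSA pair from two fixed Mersenne primes. NOT secure: it only
# stands in for the asymmetric pair the called party identifies in step 605.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                                   # K_public = (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))           # K_private exponent
PASSWORDS = {"alice": "correct horse"}      # constructed table, indexed by User ID

def one_way(password: str) -> bytes:
    """Steps 603/606: K_user as a hash of the password (assumed one-way function)."""
    return hashlib.sha256(password.encode()).digest()

def sym(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHAKE-256 keystream (encode == decode)."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def combine(r1: bytes, r2: int) -> bytes:
    """Step 612: K_ss = f(R1, R2). SHA-256 over both inputs is an assumed f."""
    return hashlib.sha256(r1 + r2.to_bytes(19, "big")).digest()

def called_send_first(user_id: str):
    """Steps 604-607: pick R1, look up K_user, send K_user(R1, K_public)."""
    k_user = one_way(PASSWORDS[user_id])
    r1, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    body = r1 + N.to_bytes(19, "big") + E.to_bytes(4, "big")
    return r1, nonce + sym(k_user, nonce, body)

def calling_reply(password: str, msg1: bytes):
    """Steps 603, 608-610, 612: decode message 1, pick R2, send K_public(R2)."""
    body = sym(one_way(password), msg1[:16], msg1[16:])
    r1 = body[:16]
    n = int.from_bytes(body[16:35], "big")
    e = int.from_bytes(body[35:], "big")
    r2 = secrets.randbits(128)
    msg2 = pow(r2, e, n)
    return combine(r1, r2), msg2

def called_finish(r1: bytes, msg2: int) -> bytes:
    """Steps 611-612: decode message 2 with K_private, then derive K_ss."""
    return combine(r1, pow(msg2, D, N))

def run_exchange(user_id: str, typed_password: str):
    """Whole handshake; returns (calling K_ss, called K_ss, msg1, msg2)."""
    r1, msg1 = called_send_first(user_id)
    k_calling, msg2 = calling_reply(typed_password, msg1)
    return k_calling, called_finish(r1, msg2), msg1, msg2

if __name__ == "__main__":
    good = run_exchange("alice", "correct horse")
    bad = run_exchange("alice", "wrong guess")
    print("right password, keys match:", good[0] == good[1])
    print("wrong password, keys match:", bad[0] == bad[1])
```

In this sketch a mistyped password is not rejected outright; the two sides simply derive different values of Kss, so the mismatch only shows once they try to communicate in step 613.
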

[0062] The exemplary illustrative non-limiting technology herein may be used
with client/server and peer-to-peer embodiments. In a peer-to-peer architecture,
the called party could also pre-generate keys. A problem with peer-to-peer is
that password management becomes difficult because there is no centralized
repository. Because password information is extremely sensitive, passing
passwords becomes a challenge.

[0063] Use of the exemplary illustrative non-limiting implementations herein
accrues numerous benefits. One benefit is that there is no need to use
certificates. Therefore, there is no need to register with Certificate
Authorities and keep them up to date. This removes an external source of
unnecessary problems: a Certificate Authority's errors. Furthermore, if a user
wishes to log in to a server using a client-server embodiment, then any computer
logged in to (i.e., used as a client) can immediately have access without
ensuring that the computer has been registered with a certificate authority.

[0064] Another benefit of the exemplary illustrative non-limiting technology
herein is that in some embodiments keys are not stored on local computers. In
embodiments in which keys are generated dynamically, keys never need to be
stored on a filesystem. Storing keys on the system allows someone who is capable
of compromising a computer to steal the keys, and decrypt messages past,
present, or future. In some exemplary illustrative non-limiting embodiments,
keys are constantly changed and never stored on a computer's hard drive.

[0065] Yet another benefit of the exemplary illustrative non-limiting
implementations is that it is not necessary for a calling party to generate
keys. Generating asymmetric key pairs can be computationally expensive,
resulting in system delays. A calling party may have access only to limited
computational resources. If an asymmetric key pair is generated on a limited
machine, connection times between 15 seconds and nearly 2 minutes are typical
using current hardware and algorithms. As keys take more computing power to
generate, which is likely because the requirements of key size will increase,
the exemplary illustrative non-limiting implementation will allow a quick logon
time from a computationally limited calling party. In some client-server
embodiments, a server may generate keys constantly (i.e., semi-dynamically).
Semi-dynamic key generation in a client-server embodiment allows connection
latency to be independent of client and server hardware requirements.

[0066] Still another benefit of the exemplary illustrative non-limiting
technology herein is that human users don't need to bring anything with them
when connecting to another party in a peer-to-peer embodiment or logging on in a
client-server embodiment. All that a human user needs to supply is a password.
There is no need for a human user to carry a floppy disk with his or her stored
"authorized key pair," which reduces the potential for human error, e.g., an
administrator emailing a key pair to a human user. Also, there is no need for a
human user to have a physical token to log on. This enables true mobility by
preventing the need for hardware such as a SmartCard reader.

[0067] A security benefit of the exemplary illustrative non-limiting technology
herein comes from the double integrity of the shared secret key. In an exemplary
illustrative non-limiting implementation, the shared secret key is not sent in a
single message. The shared secret key is computed based on the values of two
shared random numbers. The first shared random number is encoded using a
function based on the password. The second shared random number is encoded using
a random public key. So even if someone were able to somehow steal a user's
password, he still would have no way to decrypt the messages that the user had
transmitted in the past. Secure data remains secure.

[0068] The double integrity of the shared secret key adds another benefit: if an
attacker is able to penetrate a party and manipulate it prior to or during a
communications session, it might in this way be able to weaken, sabotage,
specify, or intercept a shared random number. However, without the other shared
random number, the attack would not yield the shared secret key. No attack that
targets only one shared random number can weaken the shared secret key.

[0069] The exemplary illustrative non-limiting technology herein provides strong
security protection in obtaining a shared secret key. The following are some
exemplary illustrative non-limiting examples of attacks that are thwarted by the
technology herein:

• No password eavesdropping
    • No form of the password is ever sent, so one could never obtain the
      password.

• No password database hijacking
    • The password database itself is encrypted, so one would never be able to
      grab any form of the password, to launch an off-line password guessing
      attack.

• No reflection (man-in-the-middle) attack
    • At no point can a message be pulled from one authentication session, and
      used sensibly in a different session, to obtain access to keys or
      messages.

• No replay attack
    • Because of the use of timestamps in some exemplary illustrative
      non-limiting embodiments, it is not possible to use untampered messages to
      cause either party to undergo processing that would ordinarily prohibit a
      valid user from gaining access to the system.

• No impersonating called party
    • Impersonating the server would never gain an impersonator access to a
      password, because no form of the password is ever sent by the calling
      party. (The called party uses a function of the password as a key.) For
      this matter, it would never make sense for an attacker to impersonate the
      called party.

[0070] The specific algorithms and steps described herein, as well as the basic
steps which such algorithms represent (even if they are replaced by different
algorithms), are designed for implementation using general purpose
microprocessors. Furthermore, each of the algorithms and steps described herein,
as well as the basic steps represented by such algorithms, can be encoded on
computer storage media such as CD ROMS, floppy disks, computer hard drives, and
other magnetic, optical, other machine readable media, whether alone or in
combination with one or more of the algorithms and steps described herein.

[0071] Although the methods discussed herein have been described in detail with
regard to some exemplary embodiments and drawings thereof, it should be apparent
to those skilled in the art that various adaptations and modifications of the
methods can be accomplished without departing from the spirit and the scope of
the invention. Thus, by way of example and not of limitation, the methods are
discussed as illustrated by the figures. Accordingly, the invention is not
limited to the precise embodiments shown in the drawings and described in detail
hereinabove, but is set out in the following claims.